Supporting and Securing Programs inside Web Browsers
Today's browsers are being placed in the role of operating systems for
complex programs from the web. Recent versions of browsers are starting
to reflect this new workload, providing better performance and greater
robustness to failures. Improving security is an important challenge as
well, given the valuable private data that now lives on the web. In
this talk, I will discuss how new browser architectures can help protect
the user's local computer with sandboxed rendering engines, as in Google
Chrome. I will also describe challenges for architecturally isolating a
user's web accounts from each other, and ideas about how we might
Building a Safer Web
Web content has shifted from simple documents to active programs, but web browsers and protocols have not evolved adequately to support them. As a result, safety problems in web browsers and web sites now regularly make headlines, from browser exploits to ISPs that modify web pages. In this talk, I will discuss my research in improving the safety and reliability of web browsers and web content.
I will focus on two recent projects: multi-process browser architectures and web tripwires. First, I will show how current web browser architectures allow disruptive interference between web-based applications. I have identified backwards compatible abstractions that can be used in the browser's architecture to isolate such programs in a robust way, and I have helped incorporate these abstractions into the Google Chrome browser. I will present an evaluation of how this architecture improves the browser's robustness against interference.
Second, I will present a web tripwire mechanism for detecting in-flight changes to web content. We have used web tripwires to show that many clients receive pages that have been altered before reaching the browser, with consequences ranging from injected advertisements to new security vulnerabilities. Many sites are unwilling to bear the costs of switching to SSL for integrity, so I will show how web publishers can use web tripwires to detect such changes to their own content.
I will conclude with an overview of my other research, including the BrowserShield interposition system, as well as future directions for improving the safety of programs on the web.
The Security Architecture of the Chromium Browser
Joint work with:
and the Google Chrome Team
Web browsers must often handle untrusted or malicious code while
protecting the user. However, most current browsers have a monolithic
architecture that combines "the user" and "the web" into a single
protection domain. In these browsers, an attacker who exploits an
arbitrary code execution vulnerability can install malware or steal
sensitive files from the user's computer.
In this talk, I will discuss how the architecture used by the Chromium
browser (from which Google Chrome is built) can help mitigate these
high-severity attacks. Chromium has two modules in separate protection
domains: a browser kernel, which interacts with the operating system,
and a rendering engine, which runs with restricted privileges in a
sandbox. I will show what types of attacks this architecture can help
mitigate as well as what challenges it faces for addressing other threats.
Building a Safer Web: Web Tripwires and a New Browser Architecture
Web content has shifted from simple documents to active programs, but web protocols and browsers have not evolved adequately to support them. As a result, safety problems in web sites and web browsers now regularly make headlines, from browser exploits to ISPs that modify web pages. In this talk, I will discuss my research into improving the security and reliability of web content and browsers.
After this, I will talk more broadly about my research on web browser security, focusing on the deficiencies of today's web as an application platform. Starting from my prior work on BrowserShield, I will show how we need a safer architecture for running programs within the browser. Like an operating system, this new architecture will need effective mechanisms to define, isolate, and enforce policies on these web programs.
- Berkeley TRUST Seminar.
May 8, 2008.
EE 380 Colloquium. March 12, 2008.
[Windows Media video]
- Google Tech Talk, Mountain View, CA. March 10, 2008.
- Google Tech Talk, Kirkland, WA. January 17, 2008.
- Amazon Developer Conference, Seattle, WA. January 16, 2008.